Make bulk search fast

vulnerabilities/api.py

@@ -238,40 +238,34 @@ def bulk_search(self, request):
         """
         Lookup for vulnerable packages using many Package URLs at once.
         """
-        response = []
+
         purls = request.data.get("purls", []) or []
+        purl_only = request.data.get("purl_only", False)
         if not purls or not isinstance(purls, list):
             return Response(
                 status=400,
-                data={"Error": "A non-empty 'purls' list of package URLs is required."},
+                data={"Error": "A non-empty 'purls' list of PURLs is required."},
             )
-        for purl in request.data["purls"]:
-            try:
-                purl_string = purl
-                purl = PackageURL.from_string(purl)
-            except ValueError:
-                return Response(status=400, data={"Error": f"Invalid Package URL: {purl}"})
-            lookups = get_purl_query_lookups(purl)
-            purl_data = Package.objects.filter(**lookups)
-            purl_response = {}
-            if purl_data:
-                purl_response = PackageSerializer(purl_data[0], context={"request": request}).data
-            else:
-                purl_response = purl.to_dict()
-                purl_response["unresolved_vulnerabilities"] = []
-                purl_response["resolved_vulnerabilities"] = []
-                purl_response["purl"] = purl_string
-            response.append(purl_response)
-
-        return Response(response)
+
+        query = Package.objects.filter(package_url__in=purls)
+
+        if not purl_only:
+            return Response(
+                PackageSerializer(query.distinct(), many=True, context={"request": request}).data
+            )
+
+        vulnerable_purls = (
+            query.filter(packagerelatedvulnerability__fix=False).only("package").distinct()
+        )
+        return Response(data=vulnerable_purls)
 
     @action(detail=False, methods=["get"], throttle_scope="vulnerable_packages")
     def all(self, request):
         """
         Return the Package URLs of all packages known to be vulnerable.
         """
-        vulnerable_packages = Package.objects.vulnerable().only(*PackageURL._fields).distinct()
-        vulnerable_purls = [str(package.purl) for package in vulnerable_packages]
+        vulnerable_packages = Package.objects.vulnerable().only("package_url").distinct()
+        vulnerable_purls = [str(package.package_url) for package in vulnerable_packages]
         return Response(vulnerable_purls)
 
 

vulnerabilities/migrations/0034_package_package_url.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.0.7 on 2022-11-25 17:28
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('vulnerabilities', '0033_alter_vulnerabilityseverity_scoring_system'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='package',
+            name='package_url',
+            field=models.CharField(blank=True, db_index=True, help_text='The Package URL for this package.', max_length=255),
+        ),
+    ]

vulnerabilities/migrations/0035_add_package_url_to_packages.py

@@ -0,0 +1,34 @@
+from django.db import migrations
+from packageurl import PackageURL
+
+class Migration(migrations.Migration):
+
+    def save_purls(apps, schema_editor):
+        Package = apps.get_model("vulnerabilities", "Package")
+        updatables = []
+        for package in Package.objects.all():
+            purl = PackageURL(
+                type=package.type,
+                namespace=package.namespace,
+                name=package.name,
+                version=package.version,
+                qualifiers=package.qualifiers,
+                subpath=package.subpath,
+            )
+            package.package_url = str(purl)
+            updatables.append(package)
+
+        updated = Package.objects.bulk_update(
+            objs = updatables,
+            fields=["package_url"], 
+            batch_size=500,
+        )
+        print(f"Migrated {updated} packages with package_url")            
+
+    dependencies = [
+        ('vulnerabilities', '0034_package_package_url'),
+    ]
+
+    operations = [
+        migrations.RunPython(save_purls, reverse_code=migrations.RunPython.noop),
+    ]

vulnerabilities/migrations/0036_alter_package_package_url.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.0.7 on 2022-11-25 17:34
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('vulnerabilities', '0035_add_package_url_to_packages'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='package',
+            name='package_url',
+            field=models.CharField(db_index=True, help_text='The Package URL for this package.', max_length=255),
+        ),
+    ]

vulnerabilities/models.py

@@ -531,8 +531,27 @@ class Package(PackageURLMixin):
         to="Vulnerability", through="PackageRelatedVulnerability"
     )
 
+    package_url = models.CharField(
+        max_length=255,
+        null=False,
+        help_text="The Package URL for this package.",
+        db_index=True,
+    )
+
     objects = PackageQuerySet.as_manager()
 
+    def save(self, *args, **kwargs):
+        purl_object = PackageURL(
+            type=self.type,
+            namespace=self.namespace,
+            name=self.name,
+            version=self.version,
+            qualifiers=self.qualifiers,
+            subpath=self.subpath,
+        )
+        self.package_url = str(purl_object)
+        super().save(*args, **kwargs)
+
     @property
     def purl(self):
         return self.package_url